Malware Analysis Report

2024-09-09 12:54

Sample ID 240614-hrekbsyhnb
Target a86c4620064df65b29056f4dd28bc762_JaffaCakes118
SHA256 5efd0bd013f31c0852621053965330aec3819ddb9915a39988bbeded91f3faf4
Tags
banker collection discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

5efd0bd013f31c0852621053965330aec3819ddb9915a39988bbeded91f3faf4

Threat Level: Likely malicious

The file a86c4620064df65b29056f4dd28bc762_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests cell location

Queries information about running processes on the device

Queries information about active data network

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Requests dangerous framework permissions

Declares services with permission to bind to the system

Acquires the wake lock

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:58

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 06:57

Reported

2024-06-14 06:58

Platform

android-x64-20240611.1-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 06:57

Reported

2024-06-14 06:58

Platform

android-x64-arm64-20240611.1-en

Max time network

6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:57

Reported

2024-06-14 07:01

Platform

android-x86-arm-20240611.1-en

Max time kernel

176s

Max time network

188s

Command Line

com.ddfun

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A

Processes

com.ddfun

com.ddfun:pushservice

com.ddfun:remote

getprop ro.build.version.emui

getprop ro.build.version.emui

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.234:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 api.joomob.com udp
US 1.1.1.1:53 is.snssdk.com udp
SG 103.136.221.67:443 is.snssdk.com tcp
SG 103.136.221.67:443 is.snssdk.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
US 1.1.1.1:53 api.123bo.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
US 1.1.1.1:53 ulogs.umeng.com udp
CN 223.109.148.141:443 ulogs.umeng.com tcp
US 156.224.228.100:80 api.joomob.com tcp
CN 47.97.111.90:80 api.123bo.com tcp
CN 47.97.111.90:80 api.123bo.com tcp
US 1.1.1.1:53 plbslog.umeng.com udp
CN 36.156.202.68:443 plbslog.umeng.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 156.224.228.100:80 api.joomob.com tcp
CN 47.97.111.90:80 api.123bo.com tcp
US 156.224.228.100:80 api.joomob.com tcp
SG 103.136.221.67:443 is.snssdk.com tcp
SG 103.136.221.67:443 is.snssdk.com tcp
SG 103.136.221.67:443 is.snssdk.com tcp
SG 103.136.221.67:443 is.snssdk.com tcp
US 1.1.1.1:53 sdk.open.talk.igexin.com udp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 223.109.148.176:443 ulogs.umeng.com tcp
CN 183.134.98.102:5224 sdk.open.talk.igexin.com tcp
US 1.1.1.1:53 sdk.open.talk.getui.net udp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 14.22.7.199:80 android.bugly.qq.com tcp
CN 223.109.148.179:443 ulogs.umeng.com tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
CN 223.109.148.130:443 ulogs.umeng.com tcp
CN 183.134.98.76:5224 sdk.open.talk.getui.net tcp
US 1.1.1.1:53 sdk.open.talk.gepush.com udp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
US 1.1.1.1:53 android.bugly.qq.com udp
CN 119.147.179.152:80 android.bugly.qq.com tcp
CN 223.109.148.178:443 ulogs.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp
CN 14.22.7.140:80 android.bugly.qq.com tcp
CN 223.109.148.177:443 ulogs.umeng.com tcp
CN 183.134.98.112:5224 sdk.open.talk.gepush.com tcp

Files

/data/data/com.ddfun/app_crashrecord/1004

MD5 7144ea004daa9e9ada85ff8685fd2be8
SHA1 972d2fcd1b71fdb4f5c5714da48833e359bb2014
SHA256 635e693e0201cbee2d29d595b6893334f83c2b647abb10ea5cb5922df1f0b5d9
SHA512 ff4cb92b7e68919bd014de58c39748c91c062e385857f1352f9ae06060195210d93d0d0289bd131df7f16d0a38abc1fb3bf5b53545988fa322c5e4b333ec9e4c

/data/data/com.ddfun/app_crashrecord/1004

MD5 a31264128a14482b30d9c2e517b63d0e
SHA1 0da16e6b33258c33e2f2932b6e7205e8a91c9619
SHA256 6b3eb9fda81d2adb4daba3db21bd42936a18f7e5d44e2ce234e33c28062c735b
SHA512 8e017046933faf9158426cbf36059457a5034116d58334664b1b5d9ddb528047031accdeaf11638f1e0880973bc6593be076f6734589f88e33d998810cb11c1c

/data/data/com.ddfun/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.ddfun/app_crashrecord/1004

MD5 b1c58f6e35ec5e62fd95e120d8e7c4f9
SHA1 db3d5e02c8ea2bf43d9e22e46d865d11d14d112b
SHA256 21212a468e996c2d3dc10519654e1bc924e3bc4d773a87a7d30d86a4332479c9
SHA512 f198ec21e51cc57d79980fff968eda1684aea1ea4652c2d9226b6853a18a0d2bf02983861cc4756e8eced6d942a4df196123678d833986573f6dbea9e34dfd04

/data/data/com.ddfun/databases/pushsdk.db-journal

MD5 1bb53851536ce8f28af3fa8b7a4c1ae7
SHA1 9415502186e485ba03968724c2e6a82f2720fb98
SHA256 dfea8d47de3c2eb2a7ad4d0e28293dc505a0651264e2709ca3f0a87cf626c753
SHA512 e3f0fe213630e4575142ee1011dbac80f6b152fa965b09748ab7ca7b89817e6e8479d023410e6b27d9823eb123762df1ce5840155924952d76e1d7ef4cdb8f1f

/data/data/com.ddfun/databases/pushsdk.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ddfun/databases/pushsdk.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ddfun/databases/pushsdk.db-wal

MD5 09706a2ea7ca19017965139e1467df5a
SHA1 ff84ae2d157c72fa8d11d6e579d7bd13792af134
SHA256 e8a5191e9c55ee587afad1e3cf93a16dec49bc53cba324c2f560bed723587bc9
SHA512 0a63d632fc365744e956e0817d9c8801d1db784e78f9bd69cc04760f7cd701cd40c991c8f88f1f53a93c17618c6ee1a7ed95d4fae4795632bcd2adf648715d5c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 06:57

Reported

2024-06-14 06:58

Platform

android-x86-arm-20240611.1-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A